vault-provision 0.1.7 → 0.1.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b2e8cf0b171c758a895533f49beea72020c3c896
-  data.tar.gz: d2a707becbc4948a640bcf2551366dc48697b793
+  metadata.gz: 2b899b07ba3632b5568363ad5dd4f0c446eb3c19
+  data.tar.gz: b88d77a6a1fd6848022025963a9be18390afe997
 SHA512:
-  metadata.gz: e8fc2e530d46a7d53c1dfc5cf201bdacd618eaf3bc750f1aee3b44704302187e4cbf1497997801fe003c04f95fb5b71cdbbe3bf51f8bf5b9e5f025dcd8ea8280
-  data.tar.gz: 0d52f65e886b0dfcf1b53f0395910fea8836e8f9098a2b90b6d4262e0c51d39312e03a2472e593b357c69d1a8e5e733d1804a11ea8d3dfe673de872800122aca
+  metadata.gz: fe576f3c3c977abce9e97da0181d3fb948c057791f18b12c470cc1f82b61e3519af167389139eadf6ffea144cf1c98ffa11824dfe1606d3af9c040443f94e7c2
+  data.tar.gz: 63b14e18917b623d5e448ed4524c887199a6757bafa9be2184a5309e070dc5eda386e63428d8f4ea666fbb87dbd8b7f3aa8fd0074616ede502bfc0d65e89e23e

data/.rubocop.yml

@@ -0,0 +1,2 @@
+Style/ClassAndModuleChildren:
+  EnforcedStyle: compact

data/Gemfile.lock

@@ -4,7 +4,7 @@ PATH
     vault-provision (0.1.7)
       activesupport (~> 5.0, >= 5.0.2)
       rhcl (~> 0.1.0)
-      vault (~> 0.9)
+      vault (~> 0.10)
 
 GEM
   remote: https://rubygems.org/
@@ -49,7 +49,7 @@ DEPENDENCIES
   rhcl (~> 0.1.0)
   rspec (~> 3.5.0)
   rspec-core (~> 3.5.4)
-  vault (~> 0.10.1)
+  vault (~> 0.10)
   vault-provision!
 
 BUNDLED WITH

data/VERSION

@@ -1 +1 @@
-0.1.7
+0.1.8

data/examples/basic/secret/bar/bad.json

@@ -0,0 +1,4 @@
+{
+    "😡": "How I feel when people put secrets in source code.",
+    "😀": "How I feel when people put non-secret config data in k/v stores with decent access control policies" 
+}

data/examples/basic/secret/baz/yummy.json

@@ -0,0 +1,4 @@
+{
+    "ice_cream": "🍦 🍨 ",
+    "bear": "🐻  rawr!"
+}

data/examples/basic/secret/foo/good.json

@@ -0,0 +1,4 @@
+{
+    "raindrops": "on roses",
+    "whiskers": "on kittens"
+}

data/lib/vault/provision/pki/config/{crl.json → crl.rb}

@@ -1,5 +1,5 @@
 # config crl & distribution points for CAs
-class Vault::Provision::Pki::Config::Urls < Vault::Provision::Prototype
+class Vault::Provision::Pki::Config::Crl < Vault::Provision::Prototype
   include Vault::Provision::Pki
 
   def provision!

data/lib/vault/provision/pki/config/urls.rb

@@ -15,8 +15,9 @@ class Vault::Provision::Pki::Config::Urls < Vault::Provision::Prototype
   end
 
   def provision!
-    repo_files.each do |rf|
+    repo_files_by_mount_type('pki').each do |rf|
       mount_point = rf.split('/')[-3]
+      next unless FileTest.file?(urls_file(mount_point))
       @vault.post "v1/#{mount_point}/config/urls", File.read(rf)
     end
   end

data/lib/vault/provision/pki/config.rb

@@ -2,3 +2,4 @@
 class Vault::Provision::Pki::Config; end
 
 require 'vault/provision/pki/config/urls'
+require 'vault/provision/pki/config/crl'

data/lib/vault/provision/pki/intermediate/generate/internal.rb

@@ -6,17 +6,10 @@ class Vault::Provision::Pki::Intermediate::Generate::Internal < Vault::Provision
     "#{@instance_dir}/#{mount_point}/intermediate/generate/internal.json"
   end
 
-  def repo_files
-    mounts = @vault.sys.mounts
-    generators = mounts.keys.select do |mp|
-      mounts[mp].type == 'pki' && FileTest.file?(gen_file(mp))
-    end
-    generators.map { |mp| gen_file(mp) }
-  end
-
   def provision!
-    repo_files.each do |rf|
+    repo_files_by_mount_type('pki').each do |rf|
       mount_point = rf.split('/')[-4]
+      next unless FileTest.file?(gen_file(mount_point))
       next if generated? mount_point
       next unless @pki_allow_destructive
       resp = @vault.post "v1/#{mount_point}/intermediate/generate/internal",

data/lib/vault/provision/pki/roles.rb

@@ -3,22 +3,14 @@ class Vault::Provision::Pki::Roles < Vault::Provision::Prototype
   include Vault::Provision::Pki
 
   def repo_files
-    mounts = @vault.sys.mounts
-    pki_mounts = mounts.keys.select { |mp| mounts[mp].type == 'pki' }
-    roles = []
-    pki_mounts.each do |mp|
-      Find.find("#{@instance_dir}/#{mp}/roles/").each do |rf|
-        next unless rf.end_with? '.json'
-        roles << rf
-      end
-    end
-    roles
+    repo_files_by_mount_type('pki').select { |rf| rf.split('/')[-2] == 'roles' }
   end
 
   def provision!
     repo_files.each do |rf|
       mount_point = rf.split('/')[-3]
       role_name = File.basename(rf, '.json')
+      puts "  * #{role_name}"
       @vault.post "v1/#{mount_point}/roles/#{role_name}", File.read(rf)
     end
   end

data/lib/vault/provision/pki/root/generate/internal.rb

@@ -6,17 +6,10 @@ class Vault::Provision::Pki::Root::Generate::Internal < Vault::Provision::Protot
     "#{@instance_dir}/#{mount_point}/root/generate/internal.json"
   end
 
-  def repo_files
-    mounts = @vault.sys.mounts
-    generators = mounts.keys.select do |mp|
-      mounts[mp].type == 'pki' && FileTest.file?(gen_file(mp))
-    end
-    generators.map { |mp| gen_file(mp) }
-  end
-
   def provision!
-    repo_files.each do |rf|
+    repo_files_by_mount_type('pki').each do |rf|
       mount_point = rf.split('/')[-4]
+      next unless FileTest.file?(gen_file(mount_point))
       next if generated? mount_point
       next unless @pki_allow_destructive
       @vault.post "v1/#{mount_point}/root/generate/internal", File.read(rf)

data/lib/vault/provision/prototype.rb

@@ -24,6 +24,22 @@ class Vault::Provision::Prototype
     Find.find(repo_path).select { |rf| rf.end_with?('.json') }
   end
 
+  def repo_files_by_mount_type type
+    mounts = @vault.sys.mounts
+    my_mounts = mounts.keys.select { |mp| mounts[mp].type == type }
+
+    files = []
+    my_mounts.each do |mp|
+      next unless Dir.exist? "#{@instance_dir}/#{mp}"
+      Find.find("#{@instance_dir}/#{mp}").each do |rf|
+        next unless rf.end_with? '.json'
+        files << rf
+      end
+    end
+    files
+  end
+
+
   def provision!
     puts "#{self.class} says: Go climb a tree!"
   end

data/lib/vault/provision/secret.rb

@@ -0,0 +1,19 @@
+# Generic secret (k/v pairs) backend provisioning
+#
+# WARNING: Use of this module will inevitably lead you down
+# the path of commiting secrets into repositories. Sometimes,
+# that's ok! For example, consider using Vault's generic backend
+# to store non-secret data, like a set of public certificates
+# (but not their private keys).
+# https://www.vaultproject.io/api/secret/generic/index.html
+class Vault::Provision::Secret < Vault::Provision::Prototype
+  def provision!
+    repo_files_by_mount_type('generic').each do |rf|
+      validate_file! rf
+      kv_path = rf.sub(/\A#{@instance_dir}/, '').sub(/.json\z/, '')
+
+      puts "  * #{kv_path}"
+      @vault.post "v1/#{kv_path}", File.read(rf)
+    end
+  end
+end

data/lib/vault/provision.rb

@@ -7,7 +7,7 @@ require 'vault/provision/prototype'
 require 'vault/provision/auth'
 require 'vault/provision/sys'
 require 'vault/provision/pki'
-require 'vault/provision/generic'
+require 'vault/provision/secret'
 
 # controller for the children
 class Vault::Provision
@@ -34,7 +34,7 @@ class Vault::Provision
       Pki::Intermediate::Generate::Internal,
       Pki::Config::Urls,
       Pki::Roles,
-      Generic,
+      Secret,
       Sys::Policy,
       Auth::Ldap::Groups,
       Auth::Approle

data/spec/vault_provision_spec.rb

@@ -94,4 +94,21 @@ describe Vault::Provision do
     expect(resp[:data]).to be
     expect(resp[:data][:role_id]).to be == 'robert_paulson'
   end
+
+  it "can provision generic k/v pairs" do
+    good = client.get('v1/secret/foo/good')
+    expect(good[:data]).to be
+    expect(good[:data][:whiskers]).to be == 'on kittens'
+
+    bad = client.get('v1/secret/bar/bad')
+    expect(bad[:data][:'😡']).to be \
+      == 'How I feel when people put secrets in source code.'
+    expect(bad[:data][:'😀']).to be \
+      == 'How I feel when people put non-secret config data in k/v stores with decent access control policies'
+
+    yummy = client.get('v1/secret/baz/yummy')
+
+    expect(yummy[:data]).to be
+    expect(yummy[:data][:bear]).to be == '🐻  rawr!'
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: vault-provision
 version: !ruby/object:Gem::Version
-  version: 0.1.7
+  version: 0.1.8
 platform: ruby
 authors:
 - Tom Maher
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-06-21 00:00:00.000000000 Z
+date: 2017-06-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -93,6 +93,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".gitignore"
+- ".rubocop.yml"
 - Gemfile
 - Gemfile.lock
 - README.md
@@ -122,6 +123,9 @@ files:
 - examples/basic/pki-root/roles/.keep
 - examples/basic/pki-root/roles/unlimited.json
 - examples/basic/pki-root/root/generate/internal.json
+- examples/basic/secret/bar/bad.json
+- examples/basic/secret/baz/yummy.json
+- examples/basic/secret/foo/good.json
 - examples/basic/sys/auth.json
 - examples/basic/sys/auth/.keep
 - examples/basic/sys/auth/approle.json
@@ -153,7 +157,7 @@ files:
 - lib/vault/provision/generic.rb
 - lib/vault/provision/pki.rb
 - lib/vault/provision/pki/config.rb
-- lib/vault/provision/pki/config/crl.json
+- lib/vault/provision/pki/config/crl.rb
 - lib/vault/provision/pki/config/urls.rb
 - lib/vault/provision/pki/intermediate.rb
 - lib/vault/provision/pki/intermediate/generate.rb
@@ -165,6 +169,7 @@ files:
 - lib/vault/provision/pki/root/generate/exported.rb
 - lib/vault/provision/pki/root/generate/internal.rb
 - lib/vault/provision/prototype.rb
+- lib/vault/provision/secret.rb
 - lib/vault/provision/sys.rb
 - lib/vault/provision/sys/auth.rb
 - lib/vault/provision/sys/policy.rb
@@ -192,7 +197,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.8
+rubygems_version: 2.6.11
 signing_key: 
 specification_version: 4
 summary: Provisioning utility for HashiCorp's Vault